Date post: 20-May-2020

Configuring PEAP with a Zebra Mobile Printer and a Symbol WS5100 Wireless Switch

The following is an example that shows how to configure a Zebra mobile printer in conjunction with a Symbol WS5100 Wireless Switch. In this example the RADIUS authentication server is Microsoft’s Internet Authentication Service (IAS). NOTE: This document does not cover installation and configuration of IAS. In order to complete this example it is assumed that our network user already exists in Active Directory on a Windows domain server. For this example our network user is named “peap” with a password of “password”.

Q. What is PEAP?

A. Protected Extensible Authentication Protocol is an IEEE 802.1x EAP security method that uses an initial TLS handshake to authenticate a server to a client using PKI (Public Key Infrastructure) cryptography and X.509 digital certificates. Using the secure tunnel established by the TLS handshake, a RADIUS (Remote Authentication Dial-In User Service) server is used to authenticate a client using legacy username and password authentication before allowing wireless access onto the network.

The server proves its identity to the client (our Zebra mobile printer) by passing a digital certificate to the printer. An optional root certificate is stored on the printer which is used to help prove the identity of the server. The printer authenticates to the server by sending its username and password inside the secure TLS tunnel. Encryption keys are then generated, securing all communications traffic between the wireless client and the network.

In this example we will be using a Symbol WS5100 Wireless Switch (the EAP authenticator), and IAS (the authentication server) running on Windows Server 2003. The firmware level on the Symbol switch used for this example was release 3.0.1.0-145R. The version of PEAP supported is the Microsoft implementation, which uses MS-CHAPv2 inside the TLS tunnel. Our first example will be standard PEAP which uses WEP encryption. Our second example will be WPA2 PEAP with AES encryption.

To begin, make sure that the printer model you wish to configure for PEAP has an SH3 microprocessor. You can determine this by performing a 2-key self test (power on the printer with the Feed button pressed, and release it once the self test starts printing). Verify that, in the Program section of the second part of the test, the Software version begins with SH. If your printer does not show this information then you do not have an SH3 processor, which is a requirement for PEAP authentication on a Zebra mobile printer.

In order to support WPA2 with AES a Zebra mobile printer with an 802.11G radio is required. WPA with TKIP encryption can be used with Zebra mobile printers equipped with an 802.11B radio.


Configure the WS5100 controller for PEAP authentication

We will set up a wireless network on the WS5100. Using a web browser, connect to the controller via its web interface using the IP address for the wired side port of the WS5100. NOTE: The Symbol management applet uses Java, and may require that your browser be updated to run the applet successfully.

Browse to the Network section, select Wireless LANs, and view the Configuration tab. Double-click an unused entry (‘WLAN1’ in this example).


In the Edit dialog leave all settings at their defaults except for the following:

• Enter your ESSID and optionally its name
• Select 802.1X EAP
• Check WEP 128 encryption

No WEP key is required.


Now click the ‘Radius Config…’ button and enter the IP address, port, and shared secret for the RADIUS server. Leave all other settings at their default.


Click <OK> on each dialog to dismiss them. Since we are using IAS we will disable the WS5100 internal RADIUS server. Traverse to the Security section and select the Radius Server entry. On the Configuration tab click ‘Stop the RADIUS server’.

We are now ready to enable the new WLAN. Go back to the Wireless LANs section under Network, and highlight the WLAN just created. Click the ‘Enable’ button at the bottom of the dialog. The wireless LAN configuration is now complete.


Configure the Zebra mobile printer for PEAP authentication

To set up the Zebra mobile printer we must configure the appropriate printer parameters to enable PEAP authentication. For this example we will be using the Zebra Label Vista utility v3.4.4. Label Vista is a free label creation and configuration utility for Zebra mobile printers. The latest version can be downloaded from the Drivers & Downloads area on http://www.zebra.com.

There are two ways to authenticate a client onto the wireless network using PEAP. First, we will authenticate onto the network without the server’s root certificate installed on the printer. In this configuration the printer will automatically trust the server’s identity during authentication. Later we will export the server’s root certificate from the IAS server, and install the certificate on the printer. This will enable the printer to validate the server’s identity during the authentication process.

Run Label Vista and configure it to match your printer’s port settings. In the Printer menu select Com Port Setup. Verify the printer’s current settings by running a 2-key self-test (power on the printer with the Feed button pressed, and release it once the test starts printing). Match the com port settings to your printer, or select USB and pick the appropriate printer in the USB printer selection at the bottom of the dialog. Click <OK>.


In the Printer menu select Network Settings. Select the Network tab and configure the ESSID and DHCP settings appropriately.

Select the RF Settings tab and ensure the printer is configured for Infrastructure mode.


Select the Protocols tab. For this example ensure that all protocols are checked.

Next, select the Encryption tab and verify that Encryption mode is “OFF”. When using 802.1x PEAP the underlying encryption is WEP, and its configuration is handled automatically as part of the handshake and authentication process.


Verify that LEAP and Kerberos are not checked on the Authentication tab.

On the 802.1x/WPA tab configure the printer for 802.1x, PEAP, and enter the user name and password for the account that will be wirelessly authenticating onto the network. In our example that would be our domain user “peap”. Click <OK>.


The printer will be reprogrammed with this new information and will reset. Once the printer has finished rebooting it will associate to the WS5100 and then authenticate to the network. If your printer model has an LCD display you should see the following messages displayed for a couple of seconds prior to the regular menu appearing.

In this example our test printer was configured for DHCP. If we examine the WS5100 association log we will see that our printer has been authenticated and granted access onto the network, and received an IP address.


Finally, we can verify that our printer has been successfully authenticated onto the wireless network by examining the IAS System event log.

Using the RADIUS server root certificate for server validation

Next, we will export the root certificate from the IAS authentication server and install it on our mobile printer.

Note: Use of this certificate file is optional. The PEAP draft strongly recommends the use of this certificate, but does not require it. If this file is present on the printer, it must be the appropriate root certificate for the authenticating server, and is used to verify the server’s identity. If it is not present the server’s identity is automatically trusted as in the previous example.

In this example our certificate authority (CA) is a test CA running on a Windows Server 2003 system on our test network. Certificate files are normally generated by a trusted 3rd-party CA.


Run an instance of the Microsoft Management Console.


Add a certificate snap-in to the management console as shown in the following screen shots.


Click <OK> to complete the addition of the certificates snap-in.


Double click on the CA’s certificate as shown below.


Select ‘Copy to File…’ on the Details tab and export the file as shown below.


The resulting root certificate file must be renamed from CacertSv.cer to CacertSv.nrd (case is not important). This file is in the required PEM format and is ready to be stored in the printer’s flash memory. To store the certificate file on the printer we will again use the Label Vista utility. In Label Vista’s Printer menu select Send File, and browse to the location where you saved the CacertSv.nrd file. Check the ‘Store to flash file system’ box and click the ‘Send’ button.

Power cycle the printer and when the printer boots up it will again associate to the WS5100, but it will now verify the validity of the IAS server’s certificate before entering the secure tunnel. If the validation fails the printer will not authenticate onto the network. If the validation is successful then the printer will complete the handshake with the RADIUS server, passing its username and password within the secure tunnel.
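The Windows export wizard can also save the certificate in DER (binary) encoding, in which case the renamed file is not PEM. As an added example (not part of the original document), the following Python script checks the exported file's encoding and produces the PEM form described above; it inspects only the outer encoding, not the certificate's contents, and the function names and the SAMPLE_DER bytes are constructed for illustration.

```python
import base64
import binascii
import re
import sys

# Constructed placeholder, NOT a real certificate: a DER SEQUENCE header
# (0x30, long-form length 0x0100) followed by 256 zero bytes.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)

def der_length_ok(der: bytes) -> bool:
    """True if der is one ASN.1 SEQUENCE whose declared length fits the data."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:  # short form: the length is this byte
        header, body = 2, first
    else:  # long form: low 7 bits give the number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, body = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + body == len(der)

def to_printer_pem(exported: bytes) -> bytes:
    """Normalize a Base-64 or DER export to PEM; raise ValueError otherwise."""
    blocks = PEM_BLOCK.findall(exported)
    if len(blocks) > 1:
        raise ValueError("several certificates found; export only the root CA")
    if blocks:
        try:
            der = base64.b64decode(b"".join(blocks[0].split()), validate=True)
        except binascii.Error as exc:
            raise ValueError("corrupt Base-64 body") from exc
    else:
        der = exported  # no PEM armor, so treat the file as binary DER
    if not der_length_ok(der):
        raise ValueError("not a single DER-encoded structure")
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return (b"-----BEGIN CERTIFICATE-----\n" + body
            + b"\n-----END CERTIFICATE-----\n")

if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: python script.py CacertSv.cer CacertSv.nrd
    with open(sys.argv[1], "rb") as src:
        pem = to_printer_pem(src.read())
    with open(sys.argv[2], "wb") as dst:
        dst.write(pem)
```

The output file is written only if the input passes the checks, so a failed run leaves no partial CacertSv.nrd to send to the printer.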

Implementing WPA Security

In the next example we will reconfigure our network to use WPA2 and AES-CCMP. We will also change our printer to use WPA.

NOTE: Zebra wireless mobile printers automatically negotiate the best available WPA key management and encryption cipher during the association with an access point. There are no individual printer selections for WPA2, TKIP, or AES. Turning on WPA enables all of them for use.


On the WS5100, browse to the Network section, select Wireless LANs, and view the Configuration tab. Double-click on the wireless LAN we previously configured for PEAP (‘WLAN1’ in this example). Check the WPA2-CCMP box in the Encryption section and click <OK>.

Our test printer for this example contains a Zebra embedded ‘B/G’ radio. When the printer associates with the access point it will negotiate a security level of WPA2/AES. If the switch was instead configured for WPA/WPA2-TKIP, the printer would negotiate a WPA2/TKIP security level. If both check boxes are selected then the printer would negotiate the more secure WPA2/AES level of security.

NOTE: Zebra mobile printers containing a Symbol or Zebra embedded ‘B’ radio do not support WPA2 or AES, and will negotiate to WPA/TKIP security if it is enabled on the WS5100.


On the Zebra printer we only need to make one change to enable WPA. As mentioned previously, the WPA security level is automatically negotiated with the access point. To enable all WPA support select Network Settings in Label Vista’s Printer menu and click the 802.1x/WPA tab. Check the ‘WPA’ radio button and click <OK>.

The printer will be reprogrammed with this new information and will reset. Once the printer has rebooted it will associate to the WS5100, and then authenticate to the network using WPA2 and AES (see WS5100 Details dialog for the printer).

