HP 635n HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S
HP 635n - JetDirect IPv6/IPsec Print Server Manual
UPC - 882780301016
HP 635n manual content summary:
- HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 1
802.1X on HP Jetdirect Print Servers May 2008 Table of Contents: Introduction ...2 What is 802.1X? ...6 Public Key Infrastructure and Public Key Certificate Basics 7 What Equipment is Required for 802.1X 15 Installing the Internet Authentication Service (IAS 16 Installing a Certificate Authority - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 2
example, some generic user types are shown in Figure 1 - User Types: Figure 1 - User Types An Authorized User is a user that has authenticated to the network and been given authorization to access certain resources. An Unauthorized User is a user that was unable to be authenticated and is placed in - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 3
problems - for example, an Authorized Server with a security vulnerability can be exploited by an Unauthorized User. Instead, we would like the wired network Authorized ` Ethernet Edge Switch Authorized User's Server Unauthorized Ethernet Edge Switch Guest Access Point Ethernet Edge Switch - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 4
is fine for users, but what about printers and MFPs? Well, the nice part about 802.1X is that wired HP Jetdirect print servers support it. All we need to do is create users in Active Directory that correspond to Jetdirect-based printers and printer management servers, and we can do what is shown - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 5
Figure 5, printers and MFPs become full-fledged authenticated users of the network and are assigned parameters that help them participate in the security and protection of the network and its resources. This whitepaper will discuss IEEE 802.1X Port Access Control, in relation to printing and imaging - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 6
frames for normal network operation. With HP ProCurve switches, the Authentication Server can return much more information, such as the VLAN the Supplicant should be assigned, bandwidth restrictions on the Supplicant, etc., and the switch dynamically configures itself to support those parameters. 6 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 7
Protected EAP or PEAP. Many HP Jetdirect products also support EAP-Transport Layer Security or EAP-TLS. These two EAP flavors are the most popular for wired 802.1X deployments. Both protocols utilize SSL/TLS running under EAP to authenticate the Authentication Server which sets up a secure tunnel - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 8
the message is trying to say is that "RootCA", who issued the certificate "635n", is not trusted. A useful analogy is to think of the certificate issuer like Alert dialog is troubling because it is indicative of a trust problem. In the terms of our analogy, it would be like a driver, who has been - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 9
known as symmetric cryptography. Symmetric cryptography commonly has two attributes associated with it: • It performs well - it is fast and easy to implement • It has a key distribution problem - how do you get the symmetric key to everyone that needs it in a secure way? Asymmetric cryptography is - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 10
associated with asymmetric cryptography • It is slow • It has a trust problem. How do I know that this is John's public key and not someone pretending to be John? To solve the first problem, asymmetric cryptography is usually used to securely distribute symmetric keys and sign - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 11
• A hash - also known as a message digest. A hash is the output of a one way function that attempts to ensure the integrity of the message (i.e., that the message has not been altered). It is usually combined with authentication information to ensure that the message originator can be authenticated - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 12
Jack's private key, which no one should know but Jack, John can be sure that Jack was the one that sent it. We still have a problem - How does John know that Jack's public key really belongs to the person that he knows as "Jack"? There are many people in the world - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 13
Jack Create Key Pair Jack's Public Key Jack's Private Key Identity Info + CA's Public Key Jack Jack's Private Key (Stays Private) Jack's Public Key Certificate Request Certificate Authority CA's Private Key (Also performs Identity Verification on Jack) Identity Info + CA Info + Jack's - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 14
revolve around Microsoft's certificate authority that comes with Windows 2003 server. Each company establishes their own Public Key Infrastructure (PKI) basics around certificates, we can talk specifically about Jetdirect. Jetdirect is an embedded system and as a result, has limited storage space - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 15
Print Server with the latest firmware available - PEAP & EAP-TLS support • J7961A/J7961G 635n EIO IPv6 & IPsec Print Server with the latest firmware available - PEAP & EAP-TLS support • J8007G 690n EIO Wireless 802.11b/g Print Server - PEAP & EAP-TLS & LEAP support • Embedded Jetdirect products - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 16
Authentication Service Installing a Certificate Authority Creating a Certificate Template Issuing a Certificate Creating a User for HP Jetdirect Switch Configuration HP Jetdirect Certificate Configuration IAS Configuration HP Jetdirect 802.1X Configuration Microsoft ships a RADIUS server by - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 17
Select Networking Services and press Details. Then select Internet Authentication Service and press OK. Complete the wizard and allow the installation to complete. 17 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 18
Service Installing a Certificate Authority Creating a Certificate Template Issuing a Certificate Creating a User for HP Jetdirect Switch Configuration HP Jetdirect Certificate Configuration IAS Configuration HP Jetdirect 802.1X Configuration Using Windows 2003 Enterprise Edition or Windows Server - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 19
other kind of CA, the certificate template functionality described below will not be available. Here is our CA identity information. Click Next and complete the installation. Once the installation has completed, we can go to Start -> Run -> mmc 19 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 20
The Microsoft Management Console is a framework that allows various "Snap-Ins" to be loaded. Each "Snap-In" manages a specific service. For example, there is a "Snap-In" to manage the Certificate Authority (or Certification Authority as Microsoft sometimes calls it). At this point, we want to - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 21
Click Add. Select Certificate Templates, then press "Add". Select Certification Authority, then press "Add". Then press Close. 21 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 22
Select "Local Computer". Then click Finish. Select OK. 22 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 23
Done. 23 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 24
can be created for services. The Microsoft CA has some predefined templates to help the administrator. Microsoft also allows you to create new templates. We will illustrate a process of creating a certificate template specifically for an HP Jetdirect print server. Note: The certificate template - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 25
Provide the names you would like the certificate template to have. Select the "Allow private key to be exported" checkbox in the Request Handling tab. 25 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 26
Select the Application Policies extension in the Extensions tab. Click Edit. Click Add... 26 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 27
Select Client Authentication, then click OK. Click OK. 27 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 28
Click OK. Now we have created a new certificate template, we need to enable it to be used by the Certification Authority. Select Certificate Templates under Certification Authority. Now right click and select New and then "Certificate Template to Issue". 28 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 29
Select HP Jetdirect and click OK. View the Certificate Templates folder in the Certification Authority snapin MMC, and make sure that the HP Jetdirect template is present. Done. 29 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 30
6 Step 7 Step 8 Step 9 Installing Internet Authentication Service Installing a Certificate Authority Creating a Certificate Template Issuing a Certificate Creating a User for HP Jetdirect Switch Configuration HP Jetdirect Certificate Configuration IAS Configuration HP Jetdirect 802.1X Configuration - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 31
Select "Current [RootCA]", then DER (or Base 64 if you are using an older Jetdirect product), then click "Download CA certificate", Click Save. 31 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 32
Name the file "cacert.cer". We'll use this file later when we are configuring Jetdirect. We also want to install the CA certificate chain on the local computer. This will allow the browser to recognize certificates issued by the CA as trusted. Click "Install this CA certificate chain". Click Yes. 32 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 33
secure way (and preferred way) of installing a certificate. If your HP Jetdirect firmware is earlier than V.36.11 (e.g., V.29.20, V.31.08), please refer to Appendix B for instructions on how to import a certificate. First, we need to create a CSR on Jetdirect. Click on the "Networking" tab and go to - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 34
Select "Create Certificate Request" and then click "Next". Enter in the fields that describe the devices. Click "Next". Jetdirect generates the public/private key pair, which can take a little while. 34 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 35
You can save the file, or you can simply copy the text starting with and including "-----BEGIN CERTIFICATE REQUEST-----" up to and including the last five dashes of the "END CERTIFICATE REQUEST-----". Moving back to the web interface of the Enterprise CA. We have skipped a couple of screen shots and are at - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 36
Here we paste in our Certificate Request and select the HP Jetdirect certificate template. Then click "Submit". Now we have our certificate. Most Jetdirect cards support both DER and Base64, but all support Base64. Simply click "Download Certificate". 36 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 37
6 Step 7 Step 8 Step 9 Installing Internet Authentication Service Installing a Certificate Authority Creating a Certificate Template Issuing a Certificate Creating a User for HP Jetdirect Switch Configuration HP Jetdirect Certificate Configuration IAS Configuration HP Jetdirect 802.1X Configuration - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 38
In Active Directory Users and computers, we want to go to the view menu and make sure "Advanced Features" is checked. Click on the Account tab and make sure that the Account Options has "Password never expires" selected. Enter the Logon name, typically the hostname, of the HP Jetdirect card. 38 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 39
Click the DialIn tab and select "Allow access". Then Click OK. At this point, we will want to associate the public key certificate of the Jetdirect print server with the HP Jetdirect account. Select the HP Jetdirect user account. Right click and select Name Mappings. 39 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 40
6 Step 7 Step 8 Step 9 Installing Internet Authentication Service Installing a Certificate Authority Creating a Certificate Template Issuing a Certificate Creating a User for HP Jetdirect Switch Configuration HP Jetdirect Certificate Configuration IAS Configuration HP Jetdirect 802.1X Configuration - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 41
by SSL, IPsec, as well as 802.1X EAP authentication. Because multiple authentication methods use these certificates, we created the certificates using the certificate template to act as both a client and server. One of the challenges of 802.1X configuration on HP Jetdirect print server is that there - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 42
install HP Jetdirect certificates, the CA certificate, and configure 802.1X, we need to use the Embedded Web Server (EWS). Point IE at the IP Address of the HP Jetdirect device. With the 635n print server, the browser is automatically redirected to use SSL (https://) For other HP Jetdirect products - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 43
, the above dialog will change. Here we have our home page of the HP Jetdirect device. Click the "Networking" Tab. This screen allows anonymous post sales information to be gathered about the HP Jetdirect configuration. This initiative is completely voluntary. Click Yes or No, depending on your - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 44
two certificates on HP Jetdirect. One is the HP Jetdirect Identity certificate used for SSL, certain EAP protocols, IPsec, etc... The HP Jetdirect what CA it is supposed to trust. This CA certificate becomes very important for certain 802.1X EAP methods. Certificates may be exchanged and HP Jetdirect - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 45
Click "Configure..." under the "CA Certificate" heading. Install is our only option. Click "Next". 45 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 46
Point the web browser to the "cacert.cer" file that was created earlier. Click "Finish". Done! Now we want to install the Identity Certificate. 46 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 47
" We are done! Now we have the files that represent Jetdirect's identity certificate and the public key certificate of the CA we trust. We can setup the IAS server. NOTE: In later HP Jetdirect firmware versions, when a certificate is installed, you are able to protect the private key by restricting - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 48
6 Step 7 Step 8 Step 9 Installing Internet Authentication Service Installing a Certificate Authority Creating a Certificate Template Issuing a Certificate Creating a User for HP Jetdirect Switch Configuration HP Jetdirect Certificate Configuration IAS Configuration HP Jetdirect 802.1X Configuration - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 49
Here is the main screen for IAS. What we need to do is define the switch as a RADIUS Client. We know the switch that will be acting as the Authenticator. Input a friendly name and the IP address of the switch. Click "Next". 49 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 50
the drop down list for "ClientVendor". To communicate with the RADIUS server, a shared secret needs to be established. Use the same value Authentication. Let's go ahead and define a Remote Access Policy for Printing and Imaging Devices. We'll call it PID. Back to the main screen of IAS, - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 51
Create a new policy. A wizard starts. Click "Next". 51 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 52
Select "Use the wizard..." and give the policy a name. Since we are defining a policy for Printing and Imaging Devices, we'll call it PID. Click "Next". Select "Ethernet". Click "Next". 52 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 53
Select "User". Click "Next". Select "Smart Card or other certificate". Click "Next". 53 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 54
Click "Finish". Highlight the PID policy and right click and bring up the Properties. Select "Grant remote access permission". Press "Edit Profile...". 54 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 55
Uncheck all check boxes. Press "EAP Methods". Select "Smart Card or other certificate" and then click "Edit..." 55 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 56
Select the certificate for the machine. Click OK. Highlight the "Connection Request Policies" and make sure it has "Use Windows authentication for all users". 56 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 57
6 Step 7 Step 8 Step 9 Installing Internet Authentication Service Installing a Certificate Authority Creating a Certificate Template Issuing a Certificate Creating a User for HP Jetdirect Switch Configuration HP Jetdirect Certificate Configuration IAS Configuration HP Jetdirect 802.1X Configuration - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 58
, leave this field blank which instructs Jetdirect to match any name that is returned, provided the certificate is trusted. • Encryption Strength: This field determines the minimum strength of the SSL tunnel by determining what ciphers are advertised by the Jetdirect card in the TLS Client Hello - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 59
At this point, we want to move our HP Jetdirect to port 8 of the switch. This will force 802.1X authentication to happen. We can review the event log on the system that is running our IAS server to determine whether authentication has been successful or not. In the Event Viewer, under System, 802.1X - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 60
be configured and manipulated without having to use the network. This capability makes troubleshooting easier. With HP Jetdirect, the network must be used to configure 802.1X, which is difficult to troubleshoot when problems arise. Once HP Jetdirect is configured for 802.1X authentication, 802.1X - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 61
need to be on a non-802.1X port when performing either of those two reset methods. In Appendix A: Troubleshooting 802.1X, we will cover network trace analysis for HP Jetdirect and some common errors that can be seen and diagnosed through these traces. Understanding Certificate Chains The previous - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 62
certificates to Subordinate CAs, also known as Intermediate CAs, and they do the dirty work of issuing certificates to various entities in the customer's network. The Root CA is then shut down and locked up in a secure room with this information backed up in several places. The Root CA establishes - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 63
Figure 23 - Certification Path In the certificate itself, there is only one issuer which refers back to R2. We can see that in Figure 24: Figure 24 - Issued By What does R2's certificate look like? We can see it in Figure 25: 63 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 64
Figure 25 - Issued By Notice that R2's certificate is issued by RootCA. What does RootCA's certificate look like? Let's look at Figure 26. Figure 26 - Issued By 64 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 65
Key INCORRECT! RootCA's Digital Signature hpprinter's configured CA Certificate hpprinter.example.internal hpprinter's Public Key R2's Digital Signature hpprinter's Identity Certificate Figure 27 - Incorrect HP Jetdirect CA Configuration. The Subordinate CA cannot be used as the CA certificate - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 66
.example.internal hpprinter's Public Key R2's Digital Signature hpprinter's Identity Certificate Figure 28 - Correct HP Jetdirect CA Configuration Be sure the Root CA of your CA Hierarchy has its public key certificate configured on Jetdirect! Utilizing the Server ID Field on Jetdirect In - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 67
Figure 29 - IAS Certificate Click on the "Details" tab and go to the "Subject" line as shown in Figure 30. 67 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 68
Figure 30 - IAS Subject Here we can see the Common Name (CN) in the subject field is ias.example.internal. This becomes the value that the server ID field must be configured to match. Before we get into that configuration, it is important to understand another practical deployment procedure used by - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 69
is the Common Name for the second IAS server (in the certificate's Subject field), Jetdirect now can receive one of two names for the Authentication Server • ias.example.internal • ias2.example.internal Jetdirect's Server ID field handles these situations via the following algorithm in Figure - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 70
. Here, the server ias2.example.internal will be REJECTED because it is not a rightmost subset of the name. As we can see, Jetdirect's Server ID field allows for fine grained use of which certificate will be accepted and can be configured to support multiple Authentication Servers without accepting - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 71
In Figure 33, we see a proper configuration for this setup (Matching Example 2). Figure 33 - Correct Server ID For Example 2 In Figure 34, we see an improper setup. 71 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 72
and 802.1X The new HP Jetdirect 690n Wireless 802.11b/g EIO card has 802.1X technology too. It also has a wired interface as you can see: The wired interface makes setting up the wireless interface much easier. In many cases where wireless is used for network printers and MFPs, it is because - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 73
• Only one network connection can be active at a time. Therefore, once the wireless you make a mistake on the wireless 802.1X settings and want to use a wired connection to diagnose the problem, you'll need to go into the control panel menu and Reset the 802.1X configuration before plugging in a - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 74
administrator to protect their Printing and Imaging assets. While Identity Driven Management techniques are powerful, they are not required. Using bundled software such as IAS and any switch that supports RADIUS and 802.1X port-based authentication, we can use HP Jetdirect to participate in almost - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 75
security page will be printed similar to the ones shown in this section. If your HP Jetdirect firmware doesn't support the 802.1X logging or is installed in a Digital Sender only product, we'll need to get a network trace to troubleshoot. Network switches that support 802.1X are fairly sophisticated - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 76
we know what a good trace is supposed to look like! EAP Unknown User Name Let's look at a common failure, which is when the username that HP Jetdirect is sending is unknown by the Authentication Server. Although we are using EAP-TLS, this information is also valid for PEAP. 76 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 77
Here, a simple mistake was made in the name: "wireles" was used instead of "wireless". Here is what a network trace would look like. 77 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 78
The first thing to check in this failure mode is the 802.1X User Name on Jetdirect. The Authentication Server does not recognize the user name that Jetdirect is sending back. That one was easy. Server Authentication Problem Once the EAP identity has been verified, the next step for both EAP-TLS and - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 79
cannot get the certificate for the local issuer. In other words, the certificate for RootCA is unavailable which points to the wrong CA certificate being installed on Jetdirect. Let's look at a network trace. 79 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 80
field must be configured to be a Root CA of the chain in use. • The 802.1X Server ID field on Jetdirect - be sure that it is configured correctly. You may try just to set it to blank until you can get 802.1X up and running. • - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 81
by R2, an intermediate certificate authority • "R2.example.internal" issued by RootCA, the root certificate authority. The first certificate is the IAS server's certificate that Jetdirect will check the Server ID field against. Therefore, the server ID field needs to be configured correctly based - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 82
.example.internal. The Authentication Server also sends back the R2.example.internal certificate. This certificate is issued by RootCA. Jetdirect also Problem Assuming that everything went ok with Server Authentication, then client authentication is the next area where there could be problems. - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 83
Notice that "TLS Server Authentication finished successfully". Based upon that message, we've eliminated a lot of things that could have gone wrong. However, the message "Alert Received: access denied" - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 84
Denied". There are a few things to check: • The Jetdirect Identity Certificate must be configured • The Jetdirect Identity Certificate must be one the Authentication Server trusts • The Jetdirect user in Active Directory must have Jetdirect's certificate mapped to the account that represents - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 85
Here is the log output from a successful PEAP negotiation. An important thing to notice is the EAPMSCHAPv2 client authentication method. There are a variety of ways that are used to send the username/password to the authentication server, this is one of them. 85 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 86
when using PEAP, the TLS connection is established without sending over the client certificate. There is one case where a wrong password can be configured on Jetdirect and get a failure. 86 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 87
The log shows password errors in PEAP very clearly! The network trace isn't as clear. 87 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 88
of 30 seconds). This type of trace would indicate that there is a password mismatch between Jetdirect and the Active Directory account that represents Jetdirect. Appendix B: Importing a Certificate Bring up the web server for the CA. Using the URL for the certsrv, we get to the web interface of - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 89
Click "Create and submit a request to this CA". 89 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 90
Be sure to select the Certificate Template "HP Jetdirect" and to check the checkbox entitled "Mark keys as exportable". Click Yes. 90 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 91
Click "Install this certificate" to install it on your local computer. We will export it and then delete it from this computer later. Click Yes. 91 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 92
Done. At this point, we want to export the certificate so that it can be loaded with its private key into Jetdirect. We need to bring up MMC again and load the Certificates snap-in. 92 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 93
Go to the File Menu and select Add/Remove Snap-In. Click "Add..." 93 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 94
Click "Certificates" Click "My user account" 94 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 95
Click "Local Computer" Select the folder "Certificates" under "Personal". Highlight the Jetdirect certificate issued. Right Click and select "Export..." 95 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 96
The "Certificate Export Wizard" launches - Press "Next" Since we are going to import this certificate into Jetdirect, we need to export the private key as well. Select "Yes, export the private key" and then click "Next". 96 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 97
Type a password to protect the private key. Click "Next". Name the file "jdcert.pfx" and click "Next" 97 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 98
Click Finish Click Ok. If you did not use the certificate request method of generating a certificate, we'll want to "Import the Certificate and Private Key" into Jetdirect. 98 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 99
Now we'll import the Jetdirect Certificate - click "Configure..." under the "Jetdirect Certificate" heading. Select "Import Certificate and Private Key". Click "Next". 99 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 100
Select the "jdcert.pfx" file that contains the private key of Jetdirect and the password that was used to protect the private key. Click "Finish". 100 - HP 635n | HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 101
May 2008 Hewlett-Packard Development Company, L.P. The information contained in this document is subject to change without notice. HP makes no warranty of any kind with respect to this information. HP specifically disclaims the implied warranty of merchantability and fitness for a particular purpose
How to Use 802.1X on HP Jetdirect Print Servers
May 2008
Table of Contents:
- Introduction (page 2)
- What is 802.1X? (page 6)
- Public Key Infrastructure and Public Key Certificate Basics (page 7)
- What Equipment is Required for 802.1X? (page 15)
- Installing the Internet Authentication Service (IAS) (page 16)
- Installing a Certificate Authority (CA) (page 18)
- Creating a Certificate Template (page 24)
- Issuing a Certificate (page 30)
- Creating a User for HP Jetdirect (page 37)
- Switch Configuration (page 40)
- HP Jetdirect Certificate Configuration (page 41)
- IAS Configuration (page 48)
- HP Jetdirect 802.1X Configuration (page 57)
- Understanding Certificate Chains (page 61)
- Utilizing the Server ID Field on Jetdirect (page 66)
- Wireless and 802.1X (page 72)
- ProCurve Switches and Identity Driven Management (page 74)
- Summary (page 74)
- Appendix A: Troubleshooting 802.1X (page 75)
- Appendix B: Importing a Certificate (page 88)
whitepaper