Lexmark Multifunction Laser Common Criteria Installation Supplement and Admini - Page 12

3

Type a unique name to identify the template. Use a descriptive name, such as ”Administrator_Only” or

“Authenticated_Users,” and then touch

Done

.

4

On the Authentication Setup screen, select the internal accounts building block, and then touch

Done

.

5

On the Authorization Setup screen, select the internal accounts building block, and then touch

Done

.

6

Select one or more groups to be included in the template, and then touch

Done

to save your changes and return

to the Edit Security Templates screen.

Modifying or deleting an existing security template

Note:

You can delete a security template only if it is not in use; however, security templates currently in use can be

modified.

From the home screen, touch

>

Security

>

Edit Security Setups

>

Edit Security Templates

.

•

To remove all security templates, touch

Delete List

.

•

To remove an individual security template, select it from the list, and then touch

Delete Entry

.

•

To modify an individual security template, select it from the list, and then touch

Open Entry

.

Controlling access to device functions

Access to device functions can be restricted by applying security templates to individual functions. For a list of access

controls and what they do, see “Access controls” on page 47.

1

From the home screen, touch

>

Security

>

Edit Security Setups

>

Edit Access Controls

.

2

Select the appropriate level of protection for each function, as specified in the following table. It may be necessary

to scroll through several screens to set all access controls.

3

After assigning an appropriate security template to all functions, touch

Submit

.

Levels of protection include:

•

Administrator access only

—This can be an internal account or a security template, as long as it provides

administrator

‑

only authentication and authorization.

•

Authenticated users only

—This can be an internal account or a security template, as long as it provides access to

authenticated users only. These access controls must

not

be set to

No Security

.

•

Disabled

—This disables access to a function for all users and administrators.

•

Not applicable

—The function has been disabled by another setting. No change is required, although it is

recommended that you set these access controls to


or

Disabled

.

Access controls and required levels of protection

Access control

Level of protection

Security Menu at the Device


Security Menu Remotely


Service Engineer Menus at the Device


Service Engineer Menus Remotely


Configuration Menu

Disabled

12

Section	Page
Installation Supplement and Administrator Guide	1
Contents	3
Overview and first steps	5
Overview	5
Using this guide	5
Supported devices	5
Operating environment	6
Before configuring the device (required)	6
Verifying physical interfaces and installed firmware	6
Attaching a lock	7
Encrypting the hard disk	7
Disabling the USB buffer	8
Installing the minimum configuration	9
Configuring the device	9
Configuration checklist	9
Configuring disk wiping	9
Enabling the backup password (optional)	9
Creating user accounts	10
Creating security templates	11
Controlling access to device functions	12
Disabling home screen icons	14
Administering the device	15
Using the Embedded Web Server	15
Settings for network-connected devices	15
Creating and modifying digital certificates	15
Setting up IPSec	17
Disabling the AppleTalk protocol	18
Shutting down port access	18
Other settings and functions	19
Network Time Protocol	19
Kerberos	19
Security audit logging	20
E-mail	22
Fax	24
Configuring security reset jumper behavior	25
User access	25
Creating user accounts through the EWS	25
Configuring LDAP+GSSAPI	27
Configuring Common Access Card access	30
Creating security templates using the EWS	32
Controlling access to device functions	33
Configuring PKI Held Jobs	33
Controlling access to device functions using the EWS	34
Troubleshooting	37
Login issues	37
“Unsupported USB Device” error message	37
Make sure a supported Smart Card reader is attached	37
The printer home screen fails to return to a locked state when not in use	37
Make sure the authentication token is installed and running	37
Make sure PKI Authentication is installed and running	37
Login screen does not appear when a Smart Card is inserted	37
Make sure the Smart Card is recognized by the reader	37
“The KDC and MFP clocks are different beyond an acceptable range; check the MFP's date and time” err ...	38
Verify the date and time on the printer	38
“Kerberos configuration file has not been uploaded” error message	38
Make sure the Kerberos file has been uploaded	38
Users are unable to authenticate	38
Make sure the Realm specified in the Kerberos settings is in uppercase	38
“The Domain Controller Issuing Certificate has not been installed” error message	39
Make sure that the correct certificate has been installed on the printer	39
“The KDC did not respond within the required time” error message	39
Make sure the IP address or host name of the KDC is correct	39
Make sure the KDC is available	39
Make sure Port 88 is not blocked by a firewall	39
“User's Realm was not found in the Kerberos Configuration file” error message	39
Make sure the Windows Domain is specified in the Kerberos settings	39
“Realm on the card was not found in the Kerberos Configuration File” error message	40
Upload a Kerberos configuration file and make sure the realm has been added to the file	40
“Client [NAME] unknown” error message	40
Verify that the Domain Controller information is correct	40
Login does not respond at “Getting User Info”	40
User is logged out almost immediately after logging in	40
Increase the Panel Login Timeout interval	40
LDAP issues	41
LDAP lookups take a long time and then fail	41
Make sure Port 389 (non-SSL) and Port 636 (SSL) are not blocked by a firewall	41
Make sure the LDAP search base is not too broad in scope	41
LDAP lookups fail almost immediately	41
Verify that the Address Book Setup contains the host name for the LDAP server	41
Verify or adjust Address Book Setup settings	41
Narrow the LDAP search base	41
Verify that the LDAP attributes being searched for are correct	41
Held Jobs/Print Release Lite issues	42
“You are not authorized to use this feature” Held Jobs error message	42
Add the user to the appropriate Active Directory group	42
“Unable to determine Windows User ID” error message	42
Make sure PKI Authentication is setting the user ID for the session	42
“There are no jobs available for [USER]” error message	42
Make sure PKI Authentication is setting the correct user ID	42
Make sure the jobs were sent to the correct printer and were printed	42
Jobs are printing out immediately	43
Make sure PKI Held Jobs is installed and running	43
Make sure all jobs are required to be held	43
Appendix A: Using the touch screen	44
Appendix B: Acronyms	46
Appendix C: Description of access controls	47
Access controls	47
Appendix D: Using Common Access Cards	50
Using a Common Access Card to access the printer	50
Notices	51
LEXMARK SOFTWARE LICENSE AGREEMENT	51

Lexmark Multifunction Laser Common Criteria Installation Supplement and Admini - Page 12

Controlling access to device functions

Page 12 highlights