HP 635n HP Jetdirect Print Servers - How to Use 802.1X on HP Jetdirect Print S - Page 15

What Equipment is Required for 802.1X? - jetdirect ipv6 ipsec print server

Page 15 highlights

can store one Identity certificate and one CA certificate. The CA certificate tells Jetdirect which identity certificates should be trusted (i.e., must be signed by that CA) when Jetdirect is receiving a certificate from another entity. Jetdirect's Identity certificate is the certificate that is sent out when another entity requests it. It is important to note that the CA certificate on Jetdirect is configured strictly to provide the trust point for identity certificates that are sent to Jetdirect - the identity certificates received from other entities must be signed by that CA or be part of a chain which ends in that CA.

Since Jetdirect only has one Identity certificate that can be configured, it must be capable of being used in a variety of situations. Jetdirect can act as a client or a server, depending on the protocol being used. For instance, if a web browser is using HTTPS to communicate with Jetdirect, Jetdirect will return its Identity certificate as part of the SSL/TLS negotiation process, which will identify Jetdirect as a server. In other cases, like EAP-TLS, Jetdirect will send its Identity certificate for client authentication.

By default, Jetdirect will create a "self-signed" certificate the first time it is powered on. This certificate is not secure because it has not been signed by a trusted CA. An important step in the security of a Jetdirect product is to replace the default self-signed Identity certificate with one that has been signed by a trusted CA.

What Equipment is Required for 802.1X?

Essentially, we need the following:

• A printer or Jetdirect device (Supplicant) that supports 802.1X
• A switch (Authenticator) that supports port-based authentication via 802.1X
• A RADIUS server (Authentication Server), such as the Internet Authentication Service (IAS) from Microsoft

Many HP Jetdirect devices can be upgraded for free to support 802.1X. Refer to http://www.hp.com/go/webjetadmin_firmware for the latest firmware updates.

HP Jetdirect products that support 802.1X are as follows:

• J7934A/J7934G 620n EIO 10/100TX Print Server with the latest firmware available - PEAP support
• J7960A/J7960G 625n EIO 10/100/1000T Print Server with the latest firmware available - PEAP support
• J7997G 630n EIO 10/100/1000T Print Server with the latest firmware available - PEAP & EAP-TLS support
• J7961A/J7961G 635n EIO IPv6 & IPsec Print Server with the latest firmware available - PEAP & EAP-TLS support
• J8007G 690n EIO Wireless 802.11b/g Print Server - PEAP & EAP-TLS & LEAP support
• Embedded Jetdirect products with the latest firmware available - PEAP & EAP-TLS support
• J7942A/J7942G en3700 USB External Print Server with the latest firmware available - PEAP support

Microsoft's IAS comes with Windows Server 2003. This means that two of the three items needed for 802.1X authentication are potentially free! All that is needed is the switch (Authenticator). Ethernet switches have long supported 802.1X. Check your switch documentation for information on whether or not it is supported. The HP ProCurve line of edge devices supports 802.1X, with higher-end edge switches supporting rich methods of assigning VLANs, bandwidth constraints, access control lists, etc. Refer to http://www.hp.com/go/procurve

Rather than generically explain what is necessary to set up and configure 802.1X for HP Jetdirect, this whitepaper will go through a step-by-step tutorial of sample installations and configurations of the 802.1X components.
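The certificate rules described above (one CA certificate as the trust point, a self-signed default that chains to nothing, and a single Identity certificate that must serve both HTTPS and EAP-TLS) can be checked with OpenSSL before a certificate is loaded onto a device. This is an added example, not part of the HP whitepaper: the CA, host name and file names are constructed, and expressing the server and client roles through the X.509 extendedKeyUsage extension is an assumption about how the issuing CA is set up.

```shell
#!/usr/bin/env bash
# Added example: every key, name and certificate below is constructed locally.
LAB=$(mktemp -d)

# issue <name> <eku-list>: CA-signed identity certificate carrying the given EKUs.
issue() {
  openssl req -newkey rsa:2048 -nodes -keyout "$LAB/$1.key" -out "$LAB/$1.csr" \
    -subj "/CN=printer.example.test" 2>/dev/null
  printf 'extendedKeyUsage=%s\n' "$2" > "$LAB/$1.ext"
  openssl x509 -req -in "$LAB/$1.csr" -CA "$LAB/ca.pem" -CAkey "$LAB/ca.key" \
    -CAcreateserial -extfile "$LAB/$1.ext" -days 30 -out "$LAB/$1.pem" 2>/dev/null
}

build_lab() {
  # Root CA: the single trust anchor, in the role of the CA certificate on Jetdirect.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$LAB/ca.key" -out "$LAB/ca.pem" \
    -subj "/CN=Example Lab Root CA" -days 30 2>/dev/null
  # Stand-in for the factory default: self-signed, so it chains to no CA.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$LAB/default.key" \
    -out "$LAB/default.pem" -subj "/CN=printer.example.test" -days 30 2>/dev/null
  issue dual "serverAuth,clientAuth"   # usable for HTTPS and for EAP-TLS
  issue webonly "serverAuth"           # usable for HTTPS only
}

# trusted <cert> <purpose>: does the cert chain to the lab CA and fit the role?
# purpose is sslserver (HTTPS to the device) or sslclient (EAP-TLS supplicant).
trusted() {
  openssl verify -CAfile "$LAB/ca.pem" -purpose "$2" "$LAB/$1.pem" >/dev/null 2>&1
}

# Print the accept/reject decision for each certificate in each role.
report() {
  for cert in default dual webonly; do
    for purpose in sslserver sslclient; do
      if trusted "$cert" "$purpose"; then r=accepted; else r=rejected; fi
      printf '%-8s %-9s %s\n' "$cert" "$purpose" "$r"
    done
  done
}

build_lab && report
```

Only the `dual` certificate is accepted in both roles, which is the property a single Identity certificate needs when the same device answers HTTPS requests and authenticates with EAP-TLS.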

