802.1X Advanced Configuration Help
Use this page to configure 802.1X authentication parameters on the printer that are used to connect to your network. Required information varies depending on the authentication method(s) you select for your network and security needs.
Note: Use caution when changing 802.1X authentication settings; you may lose your connection to the printer. Contact your network administrator before changing 802.1X settings.
802.1X
Select On to enable 802.1X on the printer. The default setting is Off.
Reauthenticate on Save
Select this checkbox for the new settings to become active immediately when you click the Save Changes button. Clearing this checkbox causes the 802.1X configuration settings to become active when the printer is restarted, enabling you to continue configuration.
Caution: If 802.1X Enable is set to On, and Reauthenticate on Save is also selected, clicking Save Changes may cause communication with your web browser to be interrupted.
Authentication Methods
Select the specific protocol(s) for 802.1X authentication on your network. All authentication methods are selected by default.
For more information about EAP methods, search by RFC number on the IETF website or on the RFC archive website.
- MD5 Challenge – See RFC 3748 – Message Digest 5 (MD5) Challenge lets a RADIUS server authenticate LAN stations by verifying an MD5 hash of each user's password. This is a simple choice for trusted Ethernet networks where there is a low risk of outsider sniffing or active attack. However, MD5 Challenge is not suitable for public Ethernet networks or wireless LANs because outsiders may easily sniff station identities and password hashes, or masquerade as access points to trick stations into authenticating with them.
- TLS – See RFC 4346 – Transport Layer Security (TLS) is a standard secure option for wireless LANs. TLS requires the station and RADIUS server to both prove their identities via public key cryptography, such as digital certificates or smart cards. This exchange is secured by an encrypted TLS tunnel, making TLS resistant to dictionary and man-in-the-middle attacks. However, the station's identity, which is the name bound to the certificate, may still be sniffed by outsiders. TLS may be most attractive to large enterprises that use only Windows XP/2000/2003 with deployed certificates.
- PEAP-MS-CHAPv2 (PEAP) – See RFC 2759 – Protected EAP (PEAP) requires certificate-based RADIUS server authentication, but supports an extensible set of user authentication methods. Organizations that have not yet issued certificates to every station, or do not want to, can use Windows logins and passwords instead. RADIUS servers that support PEAP can check LAN access requests with Windows Domain Controllers, Active Directories, and other existing user databases. From a sniffing perspective, PEAP may be as secure as TLS. PEAP is an internet draft proposed by Cisco and Microsoft, and requires a recent Windows operating system or service pack.
Server Validation
Authentication methods requiring this information are shown in parentheses on the configuration page.
Validate server using – This field displays the installed root certificate's friendly name. The default setting is No validation, which means that a root certificate is not installed. A root certificate is used to validate the authentication server's certificate. If a root certificate is not installed, server validation is not performed, and the device will accept any certificate from any authentication server. Root certificate file contents must be in base-64 encoded (PEM) or binary encoded (DER) format. Select from the following options:
- Install a new root certificate.
- Use the already existing root certificate – Friendly name is shown.
- No validation – Choose not to validate server.
Device Certificate
Authentication methods requiring this information are shown in parentheses on the configuration page. If you do not install a device certificate signed by a certificate authority (CA), the printer uses a self-signed device certificate.
Note: The device certificate is also used by other protocols, such as for secure access to the configuration web pages using HTTPS (SSL). Installing or creating a new device certificate may affect those protocols.
Authentication certificate – This field displays the installed device certificate's friendly name. The default setting is Default Self-Signed Certificate, which means that a signed device certificate is not installed and the printer is using the default self-signed device certificate. Device certificate file contents must be in PEM, DER, PKCS7 or PKCS12 format. Select from the following options:
- Install a new device certificate.
- Use the Default Self-Signed Certificate.
- Use a custom self-signed certificate.
- Use already existing signed device certificate – Friendly name is shown.
Credentials
Authentication methods requiring this information are shown in parentheses on the configuration page. Depending on your network configuration, certain characters may not be allowed in these fields.
- User Name – Enter an alphanumeric user name up to 64 characters in length in this field. This field cannot be blank. The default setting is the DDNS/WINS Name from the TCP/IP Settings page in CentreWare IS.
Note: Include the Windows domain or login realm in the user name, for example: DOMAIN\user or user@realm.
- Password/Verify Password – Password can be up to 21 alphanumeric characters in length. Confirm the password by re-entering it in the Verify Password field.
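The rules this page gives (all methods selected by default, the effect of No validation, and the credential field limits) can be checked against a planned configuration before clicking Save Changes. The following is an added example, not part of the printer's software or this help page; the dictionary keys, the friendly name "Example Root CA" and the sample credentials are assumptions made for illustration.

```python
# Added example. Keys and values model the fields on this page; they are
# hypothetical names for illustration, not an interface the printer exposes.
NO_VALIDATION = "No validation"
DEFAULT_CERT = "Default Self-Signed Certificate"

PAGE_DEFAULTS = {
    "methods": {"MD5", "TLS", "PEAP"},   # all methods selected by default
    "validate_server": NO_VALIDATION,    # no root certificate installed
    "device_cert": DEFAULT_CERT,
    "user_name": "",
    "password": "",
}

def audit(cfg):
    """Return (field, finding) pairs for a planned 802.1X configuration."""
    out = []
    methods = set(cfg["methods"])
    if not methods:
        out.append(("methods", "no authentication method selected"))
    if "MD5" in methods:
        out.append(("methods", "MD5 Challenge selected: identity and password "
                    "hash are exposed to sniffing; clear it unless the LAN is trusted"))
    if methods & {"TLS", "PEAP"} and cfg["validate_server"] == NO_VALIDATION:
        out.append(("validate_server", "no root certificate: the device will "
                    "accept any certificate from any authentication server"))
    if "TLS" in methods and cfg["device_cert"] == DEFAULT_CERT:
        out.append(("device_cert", "TLS selected with the default self-signed "
                    "certificate; the RADIUS server must trust it to verify the printer"))
    user = cfg["user_name"]
    if not user or len(user) > 64:
        out.append(("user_name", "must be 1 to 64 characters"))
    elif "\\" not in user and "@" not in user:
        out.append(("user_name", "no Windows domain or login realm included"))
    pw = cfg["password"]
    # Assumption: MD5 Challenge and PEAP-MS-CHAPv2 are the password-based methods.
    if methods & {"MD5", "PEAP"} and not pw:
        out.append(("password", "password-based method selected but no password"))
    elif pw and not (len(pw) <= 21 and pw.isascii() and pw.isalnum()):
        out.append(("password", "must be at most 21 alphanumeric characters"))
    return out

# Constructed sample: PEAP only, validated against an installed root certificate.
HARDENED = dict(PAGE_DEFAULTS, methods={"PEAP"}, validate_server="Example Root CA",
                user_name="EXAMPLE\\printer01", password="Constructed2Sample")
```

Running audit(PAGE_DEFAULTS) reports every field, while audit(HARDENED) returns an empty list.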
Manage Certificates
Click the Manage Certificates... button to:
- View or save existing certificates.
- Install certificates.
- Create certificates or certificate signing requests (CSR).
- Delete certificates.
The current selections are indicated by an asterisk (*). When you are satisfied with your selections, click Save Changes to save the settings, or Discard Changes to keep the previous settings.