Network Integration, EAP-TTLS Security Mode - Barco ClickShare CSE-800 Installation Manual


6. CSE-800 Configurator
Image 6-30
Necessary Data to continue:
Domain
Identity
Corporate SSID
Click Next to continue with the upload of the client certificate.
Click Upload Client Certificate.
The client certificate you provide should be signed by the authoritative root CA in your domain and should be linked to the user you
specify in the Identity field. Also, make sure that the client certificate you provide contains the private key – this is necessary to set
up the TLS connection successfully.
ClickShare supports 2 formats for uploading a client certificate:
PKCS#12 (.pfx) - An archive file format for storing multiple cryptography objects.
Privacy Enhanced Mail (.pem) – A Base64 encoded DER certificate stored between 2 tags:
"-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----".
When the provided PKCS#12 file also contains the necessary CA certificate, the Base Unit will extract it and
verify the chain of trust, so that you do not have to provide the CA certificate separately.
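A structural pre-upload check for the .pem case described above, as an added example (not Barco's code; the function and constant names are hypothetical). It confirms that the file carries both a CERTIFICATE block and a private key block and that each body is Base64 wrapping one DER structure; it does not verify the chain of trust or that the key matches the certificate.

```python
import base64
import re

# PEM armor as the manual describes it: Base64 DER between BEGIN/END tags.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}

def der_is_well_framed(der: bytes) -> bool:
    """True if der is exactly one DER SEQUENCE (tag 0x30, length matches)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def inspect_pem(text: str) -> dict:
    """Summarise a .pem upload candidate: block labels and problems found."""
    labels, problems = [], []
    for label, body in PEM_BLOCK.findall(text):
        labels.append(label)
        if "Proc-Type:" in body:          # legacy encrypted key: not plain DER
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"{label}: body is not valid Base64")
            continue
        if not der_is_well_framed(der):
            problems.append(f"{label}: not a single DER SEQUENCE")
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    if not KEY_LABELS.intersection(labels):
        problems.append("no private key block")
    return {"labels": labels, "problems": problems}

def pem_wrap(label: str, der: bytes) -> str:
    """Wrap bytes in PEM armor (builds the constructed samples below)."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed stand-in DER (SEQUENCE { INTEGER 1 }), not a real certificate or key.
FAKE_DER = bytes.fromhex("3003020101")
CERT_ONLY = pem_wrap("CERTIFICATE", FAKE_DER)
CERT_AND_KEY = CERT_ONLY + pem_wrap("PRIVATE KEY", FAKE_DER)
```

Run `inspect_pem(open(path).read())` on the file before uploading; an empty `problems` list means the file has the shape the wizard expects.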
CA certificate
The CA certificate is the certificate of the authoritative root CA in your domain and will be used in setting up the EAP-TLS connection.
During the wizard the Base Unit will ensure that it can validate the chain of trust between the Client and CA certificates you provide.
ClickShare supports the common .crt file extension which can contain a Base64 encoded DER certificate.
If you have problems connecting the Button to your corporate network, look at the ClickShare Client log
for feedback from the Button. This log can be enabled by holding the Shift key when starting
the Client executable. Look for the lines "EDSUSBDongleConnection::mpParseDongleMessages". An error
code and a short summary of the issue should be logged.

6.15 Network integration, EAP-TTLS security mode

About EAP-TTLS
EAP-TTLS (Tunneled Transport Layer Security) is an EAP implementation by Juniper Networks. It is designed to provide
authentication that is as strong as EAP-TLS, but it does not require each user to be issued a certificate. Instead, only the authentication
servers are issued certificates. User authentication is performed by password, but the password credentials are transported in a
securely encrypted tunnel established based upon the server certificates.
User authentication is performed against the same security database that is already in use on the corporate LAN: for example, SQL
or LDAP databases, or token systems. Since EAP-TTLS is usually implemented in corporate environments without a client certificate
we have not included support for this. If you prefer using client certificates per user we suggest using EAP-TLS.
How to start up for EAP-TTLS
1. Log in to the Configurator.
Domain: The company domain for which you are enrolling, should match with the one defined in your Active Directory.
Identity: Identity of the user account in the Active Directory which will be used by the ClickShare Buttons to connect to the corporate network. When using EAP-TLS make sure that the necessary mapping exists between the Client Certificate issued by your CA and this user account.
Corporate SSID: The SSID of your corporate wireless infrastructure to which the ClickShare Buttons will connect.
R5900049 CLICKSHARE CSE-800 19/03/2018
