HP 635n - JetDirect IPv6/IPsec Print Server How To Use Manual

How to use 802.1x on hp jetdirect print servers

Hide thumbs Also See for 635n - JetDirect IPv6/IPsec Print Server:

Administrator's manual (202 pages)

Manuallines (33 pages)

White paper (20 pages)

100

101

Table of Contents

Quick Links

Download this manual See also: Administrator's Manual, Appendix

How to Use 802.1X on HP Jetdirect Print Servers

May 2008

Need help?

Do you have a question about the 635n - JetDirect IPv6/IPsec Print Server and is the answer not in the manual?

Questions and answers

Summary of Contents for HP 635n - JetDirect IPv6/IPsec Print Server

Page 1: Table Of Contents
How to Use 802.1X on HP Jetdirect Print Servers May 2008 Table of Contents: Introduction ............................. 2 What is 802.1X? ..........................6 Public Key Infrastructure and Public Key Certificate Basics ..............7 What Equipment is Required for 802.1X?..................15 Installing the Internet Authentication Service (IAS) ................16 Installing a Certificate Authority (CA)....................
Page 2: Introduction
Introduction In many organizations, the properties assigned to a user determine the rights they have on the network. For example, some generic user types are shown in Figure 1 – User Types: Figure 1 - User Types An Authorized User is a user that has authenticated to the network and been given authorization to access certain resources.
Page 3 In many cases, the connection type determines what attempts are made to authenticate and authorize users. For example, a wireless connection or dial-in connection may require more stringent credentials than a wired connection. For wired networks, unfortunately, Authorized Users, Unauthorized Users, and Guests may have network access to the same equipment because no authentication and authorization is being done.
Page 4 ports 1 through 8 are always assigned to a specific VLAN – but as before, security can be circumvented simply by attaching a computer to the desired port. For Port-Based VLANS, what we really need are three separate solutions: (1) A way to authenticate users, (2) A way to grant authenticated users access to the network, and (3) A way to assign authenticated users to specific VLANs with network access restrictions, bandwidth constraints, and other controls.
Page 5 Figure 5 – Printing and Imaging VLANs As shown in Figure 5, printers and MFPs become full-fledged authenticated users of the network and are assigned parameters that help them participate in the security and protection of the network and its resources. This whitepaper will discuss IEEE 802.1X Port Access Control, in relation to printing and imaging environments.
Page 6: What Is 802.1X
What is 802.1X? IEEE 802.1X Port Access Control is a generic framework that allows infrastructure devices to control an end-node’s access to the network. From an Ethernet perspective, we can refer to Figure 6 – 802.1X Switch Port, and see the breakdown of the Ethernet switch. Local Intranet Ethernet Switch Switch Port 1...
Page 7: Public Key Infrastructure And Public Key Certificate Basics
Because Extensible is part of the name of EAP, there are multiple protocols that have been developed under the EAP framework. All HP Jetdirect products supporting 802.1X also support Protected EAP or PEAP. Many HP Jetdirect products also support EAP-Transport Layer Security or EAP-TLS. These two EAP flavors are the most popular for wired 802.1X deployments.
Page 8 Figure 9 – Certificate Details In Figure 9, we see there is a red X on the certificate, indicative of a security problem. In addition, there is a very specific error message: “This certificate cannot be verified up to a trusted certification authority.”...
Page 9 Unencrypted Message User Encryption Performed Message Delivery Decryption Performed User Unencrypted Message Figure 10 – Symmetric Cryptography In Figure 10, the confidentiality provided to the message is done via a single key. Because the same key is used for encryption and decryption, this process is known as symmetric cryptography. Symmetric cryptography commonly has two attributes associated with it: •...
Page 10 Figure 11 – Asymmetric Cryptography Here we can see the difference between asymmetric and symmetric cryptography. One key can be used for encryption and then the corresponding key can be used for decryption. It appears that asymmetric cryptography has solved the key distribution issue; however there are two new attributes usually associated with asymmetric cryptography •...
Page 11 A hash – also known as a message digest. A hash is the output of a one way function that • attempts to ensure the integrity of the message (i.e., that the message has not been altered). It is usually combined with authentication information to ensure that the message originator can be authenticated and that the integrity of the message has not been disrupted.
Page 12 Figure 13 – Digital Signature Verification Here we see how John uses Jack’s public key to verify the message. Jack’s public key is the only key that can decrypt the digital signature and obtain the hash value of the message that Jack calculated before sending the message.
Page 13 Create Jack’s Public Key Key Pair Jack Jack’s Private Key CA’s Public Key Identity Info + Jack CA’s Private Key Certificate Authority Jack’s Public Key (Also performs Identity Verification on Jack) Certificate Request Jack’s Private Key (Stays Private) Identity Info + CA Info + Jack’s Public Key Preliminary Certificate...
Page 14 Figure 15 – Public Key Certificates Here we can see that everyone’s public key certificate is, well – um, public. The important thing to note is that the certificate authority also has a public key certificate that identifies itself. This certificate is signed with its own private key and is a “self-signed”...
Page 15: What Equipment Is Required For 802.1X
can store one Identity certificate and one CA certificate. The CA certificate tells Jetdirect which identity certificates should be trusted (i.e., must be signed by that CA) when Jetdirect is receiving a certificate from another entity. Jetdirect’s Identity certificate is the certificate that is sent out when another entity requests it.
Page 16: Installing The Internet Authentication Service (Ias)
NOTE: The following sections describe in detail the various steps to use 802.1X. Various software programs are installed and configured. The installation and configuration of these programs, such as Microsoft’s Certificate Authority, are done for learning purposes and should not be considered as HP’s recommended configurations or installations for production networks.
Page 17 Select Networking Services and press Details. Then select Internet Authentication Service and press OK. Complete the wizard and allow the installation to complete.
Page 18: Installing A Certificate Authority (Ca)
Installing a Certificate Authority (CA) Where are we? Step 1 Installing Internet Authentication Service Step 2 Installing a Certificate Authority Step 3 Creating a Certificate Template Step 4 Issuing a Certificate Step 5 Creating a User for HP Jetdirect Step 6 Switch Configuration Step 7 HP Jetdirect Certificate Configuration...
Page 19 In this example, we are installing an Enterprise Root CA. Click Next. NOTE: If you select any other kind of CA, the certificate template functionality described below will not be available. Here is our CA identity information. Click Next and complete installation.
Page 20 The Microsoft Management Console is a framework that allows various “Snap-Ins” to be loaded. Each “Snap-In” manages a specific service. For example, there is a “Snap-In” to manage the Certificate Authority (or Certification Authority as Microsoft sometimes calls it). At this point, we want to load in separate Snap-Ins into the Microsoft Management Console (MMC). Snap-Ins are modules that provide specific management functionality to the MMC.
Page 21 Click Add. Select Certificate Templates, then press “Add”. Select Certification Authority, then press “Add”. Then press Close.
Page 22 Select “Local Computer”. Then click Finish. Select OK.
Page 23 Done.
Page 24: Creating A Certificate Template
Creating a Certificate Template Where are we? Step 1 Installing Internet Authentication Service Step 2 Installing a Certificate Authority Step 3 Creating a Certificate Template Step 4 Issuing a Certificate Step 5 Creating a User for HP Jetdirect Step 6 Switch Configuration Step 7 HP Jetdirect Certificate Configuration...
Page 25 Provide the names you would like the certificate template to have. Select the “Allow private key to be exported” checkbox in the Request Handling tab.
Page 26 Select the Application Policies extension in the Extensions tab. Click Edit. Click Add…...
Page 27 Select Client Authentication, then click OK. Click OK.
Page 28 Click OK. Now we have created a new certificate template, we need to enable it to be used by the Certification Authority. Select Certificate Templates under Certification Authority. Now right click and select New and then “Certificate Template to Issue”.
Page 29 Select HP Jetdirect and click OK. View the Certificate Templates folder in the Certification Authority snap- in MMC, and make sure that the HP Jetdirect template is present. Done.
Page 30: Issuing A Certificate
Issuing a Certificate Where are we? Step 1 Installing Internet Authentication Service Step 2 Installing a Certificate Authority Step 3 Creating a Certificate Template Step 4 Issuing a Certificate Step 5 Creating a User for HP Jetdirect Step 6 Switch Configuration Step 7 HP Jetdirect Certificate Configuration Step 8...
Page 31 Select “Current [RootCA]”, then DER (or Base 64 if you are using an older Jetdirect product), then click “Download certificate”, Click Save.
Page 32 Name the file “cacert.cer”. We’ll use this file later when we are configuring Jetdirect. We also want to install the CA certificate chain on the local computer. This will allow the browser to recognize certificates issued by the CA as trusted. Click “Install this CA certificate...
Page 33 Done Now we can begin creating an Identity Certificate for Jetdirect. Starting with Jetdirect firmware version V.36.11 and later, certificates created from CSRs and issued by the Enterprise CA can be installed. This method is a more secure way (and preferred way) of installing a certificate. If your HP Jetdirect firmware is earlier than V.36.11 (e.g., V.29.20, V.31.08), please refer to Appendix B for instructions on how to import a certificate.
Page 34 Select “Create Certificate Request” and then click “Next”. Enter in the fields that describe the devices. Click “Next”. Jetdirect generates the public/private key pair, which can take a little while.
Page 35 You can save the file, or you can simply copy the text starting and including “----- BEGIN CERTIFICAT REQUEST-----“ up to and including the last five dashes of the “END CERTIFICATE REQUEST-----“ Moving back to the web interface of the Enterprise CA. We have skipped a couple of screen shots and are at the...
Page 36 Here we paste in our Certificate Request and select the HP Jetdirect certificate template. Then click “Submit”. Now we have our certificate. Most Jetdirect cards support both DER and Base64, but all support Base64. Simply click “Download Certificate”.
Page 37: Creating A User For Hp Jetdirect
Save the certificate. We are going to use this file to Import into Jetdirect as well as associated a certificate with an Active Directory user. Creating a User for HP Jetdirect Where are we? Step 1 Installing Internet Authentication Service Step 2 Installing a Certificate Authority Step 3...
Page 38 In Active Directory Users computers, we want to go to the view menu and make sure “Advanced Features” is checked. Click on the Account tab and make sure that the Account Options has “Password never expires” selected. Enter the Logon name, typically the hostname, of...
Page 39 Click the Dial- In tab and select “Allow access”. Then Click OK. At this point, we will want to associate the public key certificate of the Jetdirect print server with the HP Jetdirect account. Select the HP Jetdirect user account. Right click and select Name Mappings.
Page 40: Switch Configuration
Select “X.509 Certificates” and “Add…” Now using the certificate that the CA issued to Jetdirect – “finance.cer” was the file, you can map it here. Click “OK”. Switch Configuration Where are we? Step 1 Installing Internet Authentication Service Step 2 Installing a Certificate Authority Step 3 Creating a Certificate Template...
Page 41: Hp Jetdirect Certificate Configuration
Figure 16 - Example Switch Configuration HP Jetdirect Certificate Configuration Where are we? Step 1 Installing Internet Authentication Service Step 2 Installing a Certificate Authority Step 3 Creating a Certificate Template Step 4 Issuing a Certificate Step 5 Creating a User for HP Jetdirect Step 6 Switch Configuration Step 7...
Page 42 In order to install HP Jetdirect certificates, the CA certificate, and configure 802.1X, we need to use the Embedded Web Server (EWS). Point IE at the IP Address of the HP Jetdirect device. With the 635n print server, the browser is automatically redirected to use SSL (https://) For other HP Jetdirect products, change the URL to use https:// rather than http:// to ensure that EWS communication is secure.
Page 43 Click “Yes” to continue. Once we replace the Jetdirect certificate, the above dialog will change. Here we have our home page of the HP Jetdirect device. Click the “Networking” Tab. This screen allows anonymous post sales information to be gathered about the HP Jetdirect configuration.
Page 44 At this point, you’ll be on the “TCP/IP Settings” link for Jetdirect. On the left hand navigation menu, select “Authorization”. Click the “Certificates” tab. There are two certificates on HP Jetdirect. One is the HP Jetdirect Identity certificate used for SSL, certain EAP protocols, IPsec, etc…...
Page 45 Click “Configure…” under the “CA Certificate” heading. Install is our only option. Click “Next”.
Page 46 Point the web browser to the “cacert.cer” file that was created earlier. Click “Finish”. Done! Now we want to install the Identity Certificate.
Page 47 Going back to the Jetdirect Certificate Wizard, we select the “Install Certificate” option. Click “Next”. Select the certificate file saved previously. Click “Finish” We are done! Now we have the files that represent Jetdirect’s identity certificate and the public key certificate of the CA we trust.
Page 48: Ias Configuration
IAS Configuration Where are we? Step 1 Installing Internet Authentication Service Step 2 Installing a Certificate Authority Step 3 Creating a Certificate Template Step 4 Issuing a Certificate Step 5 Creating a User for HP Jetdirect Step 6 Switch Configuration Step 7 HP Jetdirect Certificate Configuration Step 8...
Page 49 Here is the main screen for IAS. What we need to do is define the switch as a RADIUS Client. We know the switch that will be acting as Authenticator. Input a friendly name and the IP address of the switch. Click “Next”.
Page 50 Select “Radius Standard” from the drop down list for “Client- Vendor”. communicate with the radius server, a shared secret needs to be established. Use the same value as configured on the switch. Click “Finish”. Now that we have a client defined, we can define a Remote Access Policy. Don’t let the “Remote Access”...
Page 51 Create a new policy. A wizard starts. Click “Next”.
Page 52 Select “Use the wizard…” and give the policy a name. Since we are defining a policy for Printing and Imaging Devices, we’ll call it PID. Click “Next”. Select “Ethernet”. Click “Next”.
Page 53 Select “User”. Click “Next”. Select “Smart Card or other certificate”. Click “Next”.
Page 54 Click “Finish”. Highlight the PID policy and right click and bring up the Properties. Select “Grant remote access permission”. Press “Edit Profile…”.
Page 55 Uncheck all check boxes. Press “EAP Methods”. Select “Smart Card or other certificate” and then click “Edit…”...
Page 56 Select the certificate for the machine. Click OK. Highlight the “Connection Request Policies” and make sure it has “Use Windows authentication for all users”.
Page 57: Hp Jetdirect 802.1X Configuration
HP Jetdirect 802.1X Configuration Where are we? Step 1 Installing Internet Authentication Service Step 2 Installing a Certificate Authority Step 3 Creating a Certificate Template Step 4 Issuing a Certificate Step 5 Creating a User for HP Jetdirect Step 6 Switch Configuration Step 7 HP Jetdirect Certificate Configuration...
Page 58 accept it. As a good first step in getting 802.1X working, leave this field blank which instructs Jetdirect to match any name that is returned, provided the certificate is trusted. Encryption Strength: This field determines the minimum strength of the SSL tunnel by •...
Page 59 At this point, we want to move our HP Jetdirect to port 8 of the switch. This will force 802.1X authentication to happen. We can review the event log on the system that is running our IAS server to determine whether authentication has been successful or not. In the Event Viewer, under System,...
Page 60 Here we see that the printer was granted access! You can see a Jetdirect configuration page in Figure 20 where EAP-TLS was successful: Figure 20 – HP Jetdirect 802.1X Success If there were any issues with authentication, you won’t be able to access HP Jetdirect over the network.
Page 61: Understanding Certificate Chains
Figure 21 – HP Jetdirect 802.1X Failure In other words, once 802.1X is configured and then fails on an 802.1X port, moving the Jetdirect device to a non-802.1X port is not sufficient to restore network connectivity. Depending on the product, you will either have to “cold-reset” the Jetdirect device or go into the “Security” menu in the Jetdirect control panel menu and select “802.1X”, then “Reset”, then power down and then power-up.
Page 62 Figure 22 – CA Hierarchy In this example, RootCA is the top level CA, which is also called the Root. What usually happens at customer sites is that the Root CA is created and it issues one or more certificates to Subordinate CAs, also known as Intermediate CAs, and they do the dirty work of issuing certificates to various entities in the customer’s network.
Page 63 Figure 23 – Certification Path In the certificate itself, there is only one issuer which refers back to R2. We can see that in Figure 24: Figure 24 – Issued By What does R2’s certificate look like? We can see it in Figure 25:...
Page 64 Figure 25 – Issued By Notice that R2’s certificate is issued by RootCA. What does RootCA’s certificate look like? Let’s look at Figure 26. Figure 26 – Issued By...
Page 65 Notice the RootCA is “self-signed”. All Root CAs will be self-signed – these CAs represent the single point of trust. A logical question would be: “Which CA do I configure on Jetdirect?” Let’s look at diagrams. First, we have an incorrect configuration, as shown in Figure 27 – some Incorrect HP Jetdirect CA Configuration.
Page 66: Utilizing The Server Id Field On Jetdirect
RootCA’s Info + RootCA.example.internal RootCA’s Root Certificate Authority: RootCA Public Key RootCA’s Digital Signature RootCA’s Certificate R2.example.internal R2’s Info + Subordinate Certificate Authority: R2 R2’s Public Key RootCA’s Digital Signature What Certificates should be configured on R2’s Certificate Jetdirect so that 802.1X will be successful? hpprinter’s Info + RootCA’s Info + CORRECT!
Page 67 Figure 29 – IAS Certificate Click on the “Details” tab and go to the “Subject” line as shown in Figure 30.
Page 68 Figure 30 – IAS Subject Here we can see the Common Name (CN) in the subject field is ias.example.internal. This becomes the value that the server ID field must be configured to match. Before we get into that configuration, it is important to understand another practical deployment procedure used by customers to supply redundancy to their IAS infrastructure.
Page 69 Figure 31 – IAS Redundancy Usually, the switches are configured to point to both IAS servers in case one is unavailable. Assuming that ias2.example.internal is the Common Name for the second IAS server (in the certificate’s Subject field), Jetdirect now can receive one of two names for the Authentication Server ias.example.internal •...
Page 70 Figure 32 – Server ID Matching Let’s look at some examples that show the behavior of the Server ID field with two IAS servers configured as 802.1X Authentication Servers as shown previously: Example 1: Jetdirect Server ID: Blank. Result: If the Authentication Server’s certificate is •...
Page 71 In Figure 33, we see a proper configuration for this setup (Matching Example 2). Figure 33 – Correct Server ID For Example 2 In Figure 34, we see an improper setup.
Page 72: Wireless And 802.1X
Figure 34 – Incorrect Server ID In Figure 34, the user is trying to match the name IAS. However, this value will result in no matches based upon the Server ID field and the algorithm it uses. Wireless and 802.1X The new HP Jetdirect 690n Wireless 802.11b/g EIO card has 802.1X technology too.
Page 73 Only one network connection can be active at a time. Therefore, once the wireless settings • have been configured, unplugging the LAN cable is required so that the wireless interface will be used instead • When switching from wired to wireless (or vice versa), a reboot is required and is done automatically.
Page 74: Procurve Switches And Identity Driven Management
ProCurve Switches and Identity Driven Management This whitepaper has covered the configuration of 802.1X using an HP Jetdirect, and HP ProCurve 6108 switch, and Microsoft’s IAS. There are other tools that can supplement this configuration and make it much easier on the Administrator. Three of these tools are: ProCurve Manager, IDM Server, and IDM Agent.
Page 75: Appendix A: Troubleshooting 802.1X
Appendix A: Troubleshooting 802.1X Starting with V.38.05 and later firmware, HP Jetdirect has a new capability to log 802.1X information to the Security Page. In the control panel menu for Jetdirect, which starts as “Embedded Jetdirect” or “EIO Jetdirect”, enter the menu structure and then go to “Information”, then “Print Security Page”.
Page 76 Some important packets to look at: Packet 1 – start of the EAP process, requested by the Authenticator (switch). • • Packet 3 – start of the EAP-TLS process Packet 4 – Jetdirect sends it SSL/TLS Client Hello • Packet 11 – Packets 5, 7, 9, 11 are actually fragmented packets that comprise the Server •...
Page 77 Here, a simple mistake was made in the name: “wireles” was used instead of “wireless”. Here is what a network trace would look like.
Page 78 Here we see that an EAP request for identity is made via the Authenticator (packet 6). Jetdirect returns a response (packet 7) and then the Authenticator returns an EAP failure (packet 8). The first thing to check in this failure mode is the 802.1X User Name on Jetdirect. The Authentication Server does not recognize the user name that Jetdirect is sending back.
Page 79 Here we can see that we have an “unknown CA” error. In the log, the certificate issuer is RootCA but SSL is complaining that it cannot get the certificate for the local issuer. In other words, the certificate for RootCA is unavailable which points to the wrong CA certificate being installed on Jetdirect. Let’s look at a network trace.
Page 80 Here are the important packets in this trace: Packet 210 – Server Hello where the Authentication Server’s certificate is sent to Jetdirect. • Packet 211 – Jetdirect sends a NAK. • What has happened here is that Jetdirect does not accept the Authentication Server’s certificate and refuses to continue.
Page 81 Here we can see that there are 2 certificates being returned by the Authentication Server: “ias.example.internal” issued by R2, an intermediate certificate authority • “R2.example.internal” issued by RootCA, the root certificate authority. • The first certificate is the IAS server’s certificate that Jetdirect will check the Server ID field against. Therefore, the server ID field needs to be configured correctly based upon the common name of “ias.example.internal”.
Page 82 By looking at each certificate’s “Issuer” and “Subject” fields, we can determine what is Jetdirect is seeing. Since “ias.example.internal” is the Authentication Server certificate and its common name is shown as “ias.example.internal”, we know that the Server ID needs to be configured correctly to handle that value.
Page 83 Notice that “TLS Server Authentication finished successfully”. Based upon that message, we’ve eliminated a lot of things that could have gone wrong. However, the message “Alert Received: access denied” tells us that the client authentication failed. Let’s look at a trace and then we’ll talk about some of the things to check.
Page 84 Here we can see that the Server Hello was sent (packet 68) and it must have been accepted because Jetdirect sends the client certificate (packet 69) and did not send a NAK. However, after the client certificate is sent, the Authenticator returns a TLS Alert indicating “Access Denied”. There are a few of things to check: •...
Page 85 Here is the log output from a successful PEAP negotiation. An important thing to notice is the EAP- MSCHAPv2 client authentication method. There are a variety of ways that are used to send the username/password to the authentication server, this is one of them.
Page 86 Packets 17-24 are where the User Name / Password are sent over and verified. Packet 25 shows an EAP Success, which indicates that everything went fine. Note that in packet 14, it appears that the client certificate is sent over, but it is not. When using EAP-TLS, it is sent, but when using PEAP, the TLS connection is established without sending over the client certificate.
Page 87 The log shows password errors in PEAP very clearly! The network trace isn’t as clear.
Page 88: Appendix B: Importing A Certificate
Here we can see the failure is reported at packet 223 (after a delay of 30 seconds). This type of trace would indicate that there is a password mismatch between Jetdirect and the Active Directory account that represents Jetdirect. Appendix B: Importing a Certificate Bring up the web server for the CA.
Page 89 Click “Create and submit a request to this CA”.
Page 90 Be sure to select the Certificate Template “HP Jetdirect” and to check the checkbox entitled “Mark keys as exportable”. Click Yes.
Page 91 Click “Install this certificate” to install it on your local computer. We will export it and then delete it from this computer later. Click Yes.
Page 92 Done. At this point, we want to export the certificate so that it can be loaded with its private key into Jetdirect. We need to bring up MMC again and load the Certificates snap-in.
Page 93 Go to the File Menu and select Add/Remove Snap-In. Click “Add…”...
Page 94 Click “Certificates” Click “My user account”...
Page 95 Click “Local Computer” Select the folder “Certificates” under “Personal”. Highlight the Jetdirect certificate issued. Right Click and select “Export…”...
Page 96 “Certificate Export Wizard” launches – Press “Next” Since we are going to import this certificate into Jetdirect, we need to export the private key as well. Select “Yes, export the private key” and then click “Next”.
Page 97 Type a password to protect the private key. Click “Next”. Name the file “jdcert.pfx” and click “Next”...
Page 98 Click Finish Click Ok. If you did not use the certificate request method of generating a certificate, we’ll want to “Import the Certificate and Private Key” into Jetdirect.
Page 99 Now we’ll import the Jetdirect Certificate – click “Configure…” under the “Jetdirect Certificate” heading. Select “Import Certificate and Private Key”. Click “Next”.
Page 100 Select the “jdcert.pfx” file that contains the private key of Jetdirect and the password that was used to protect the private key. Click “Finish”.
Page 101 Done! © May 2008 Hewlett-Packard Development Company, L.P The information contained in this document is subject to change without notice. HP makes no warranty of any kind with respect to this information. HP specifically disclaims the implied warranty of merchantability and fitness for a particular purpose. HP shall not be liable for any direct, indirect, incidental, consequential, or other damage alleged in conjunction with the furnishing or use of this information.

This manual is also suitable for:

635n ipv6/ipsec